GNU bug report logs -
#53607
[PATCH] git-authenticate: Test introductory commit signature verification.
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Fri, 28 Jan 2022 17:11:02 UTC
Severity: normal
Tags: patch, security
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to maximedevos <at> telenet.be, attila <at> lendvai.name, guix-patches <at> gnu.org: bug#53607; Package guix-patches. (Fri, 28 Jan 2022 17:11:02 GMT)
Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>: New bug report received and forwarded. Copy sent to maximedevos <at> telenet.be, attila <at> lendvai.name, guix-patches <at> gnu.org. (Fri, 28 Jan 2022 17:11:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
These tests mimic similar tests already in 'tests/channels.scm', but
without using the higher-level 'authenticate-channel'.
* tests/git-authenticate.scm ("introductory commit, valid signature")
("introductory commit, missing signature")
("introductory commit, wrong signature"): New tests.
---
tests/git-authenticate.scm | 106 ++++++++++++++++++++++++++++++++++++-
1 file changed, 105 insertions(+), 1 deletion(-)
Hello!

(Cc: Maxime + Attila since you’ve already looked into this code.)

This patch adds tests to ensure that an invalid introductory commit
signature and lack of a signature on the introductory commit both lead
to an error.

These tests do not uncover any problem. In fact, this behavior was
already tested in ‘tests/channels.scm’, but using the higher-level
‘authenticate-channel’ procedure.

They were prompted by Attila’s comments in <https://issues.guix.gnu.org/50814>
and by investigations that led to the bug fix I’m about to send (separately).

Thoughts?

Thanks,
Ludo’.
diff --git a/tests/git-authenticate.scm b/tests/git-authenticate.scm
index f66ef191b0..6ec55fb2e5 100644
--- a/tests/git-authenticate.scm
+++ b/tests/git-authenticate.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2020 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2020, 2022 Ludovic Courtès <ludo <at> gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -20,12 +20,17 @@ (define-module (test-git-authenticate)
#:use-module (git)
#:use-module (guix git)
#:use-module (guix git-authenticate)
+ #:use-module ((guix channels) #:select (openpgp-fingerprint))
+ #:use-module ((guix diagnostics)
+ #:select (formatted-message? formatted-message-arguments))
#:use-module (guix openpgp)
+ #:use-module ((guix tests) #:select (random-text))
#:use-module (guix tests git)
#:use-module (guix tests gnupg)
#:use-module (guix build utils)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-34)
+ #:use-module (srfi srfi-35)
#:use-module (srfi srfi-64)
#:use-module (rnrs bytevectors)
#:use-module (rnrs io ports))
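Review bot: the added `#:use-module (srfi srfi-35)` does not appear to be needed by anything this patch adds. The new tests catch errors with `guard`, which `(srfi srfi-34)` already provides, and inspect them with `formatted-message?` and `formatted-message-arguments`, both selected from `(guix diagnostics)`. If no SRFI-35 binding is used elsewhere in the file, drop the import; otherwise restrict it with `#:select`, as the other new imports in this hunk do.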
@@ -327,4 +332,103 @@ (define (correct? c commit)
#:keyring-reference "master")
'failed)))))))
+(unless (gpg+git-available?) (test-skip 1))
+(test-assert "introductory commit, valid signature"
+ (with-fresh-gnupg-setup (list %ed25519-public-key-file
+ %ed25519-secret-key-file)
+ (let ((fingerprint (key-fingerprint %ed25519-public-key-file)))
+ (with-temporary-git-repository directory
+ `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
+ get-string-all))
+ (add ".guix-authorizations"
+ ,(object->string
+ `(authorizations (version 0)
+ ((,(key-fingerprint
+ %ed25519-public-key-file)
+ (name "Charlie"))))))
+ (commit "zeroth commit" (signer ,fingerprint))
+ (add "a.txt" "A")
+ (commit "first commit" (signer ,fingerprint)))
+ (with-repository directory repository
+ (let ((commit0 (find-commit repository "zero"))
+ (commit1 (find-commit repository "first")))
+ ;; COMMIT0 is signed with the right key, and COMMIT1 is fine.
+ (authenticate-repository repository
+ (commit-id commit0)
+ (openpgp-fingerprint fingerprint)
+ #:keyring-reference "master"
+ #:cache-key (random-text))))))))
+
+(unless (gpg+git-available?) (test-skip 1))
+(test-equal "introductory commit, missing signature"
+ 'intro-lacks-signature
+ (with-fresh-gnupg-setup (list %ed25519-public-key-file
+ %ed25519-secret-key-file)
+ (let ((fingerprint (key-fingerprint %ed25519-public-key-file)))
+ (with-temporary-git-repository directory
+ `((add "signer.key" ,(call-with-input-file %ed25519-public-key-file
+ get-string-all))
+ (add ".guix-authorizations"
+ ,(object->string
+ `(authorizations (version 0)
+ ((,(key-fingerprint
+ %ed25519-public-key-file)
+ (name "Charlie"))))))
+ (commit "zeroth commit") ;unsigned!
+ (add "a.txt" "A")
+ (commit "first commit" (signer ,fingerprint)))
+ (with-repository directory repository
+ (let ((commit0 (find-commit repository "zero")))
+ ;; COMMIT0 is not signed.
+ (guard (c ((formatted-message? c)
+ ;; Message like "commit ~a lacks a signature".
+ (and (equal? (formatted-message-arguments c)
+ (list (oid->string (commit-id commit0))))
+ 'intro-lacks-signature)))
+ (authenticate-repository repository
+ (commit-id commit0)
+ (openpgp-fingerprint fingerprint)
+ #:keyring-reference "master"
+ #:cache-key (random-text)))))))))
+
+(unless (gpg+git-available?) (test-skip 1))
+(test-equal "introductory commit, wrong signature"
+ 'wrong-intro-signing-key
+ (with-fresh-gnupg-setup (list %ed25519-public-key-file
+ %ed25519-secret-key-file
+ %ed25519-2-public-key-file
+ %ed25519-2-secret-key-file)
+ (let ((fingerprint (key-fingerprint %ed25519-public-key-file))
+ (wrong-fingerprint (key-fingerprint %ed25519-2-public-key-file)))
+ (with-temporary-git-repository directory
+ `((add "signer1.key" ,(call-with-input-file %ed25519-public-key-file
+ get-string-all))
+ (add "signer2.key" ,(call-with-input-file %ed25519-2-public-key-file
+ get-string-all))
+ (add ".guix-authorizations"
+ ,(object->string
+ `(authorizations (version 0)
+ ((,(key-fingerprint
+ %ed25519-public-key-file)
+ (name "Charlie"))))))
+ (commit "zeroth commit" (signer ,wrong-fingerprint))
+ (add "a.txt" "A")
+ (commit "first commit" (signer ,fingerprint)))
+ (with-repository directory repository
+ (let ((commit0 (find-commit repository "zero"))
+ (commit1 (find-commit repository "first")))
+ ;; COMMIT0 is signed with the wrong key--not the one passed as the
+ ;; SIGNER argument to 'authenticate-repository'.
+ (guard (c ((formatted-message? c)
+ ;; Message like "commit ~a signed by ~a instead of ~a".
+ (and (equal? (formatted-message-arguments c)
+ (list (oid->string (commit-id commit0))
+ wrong-fingerprint fingerprint))
+ 'wrong-intro-signing-key)))
+ (authenticate-repository repository
+ (commit-id commit0)
+ (openpgp-fingerprint fingerprint)
+ #:keyring-reference "master"
+ #:cache-key (random-text)))))))))
+
(test-end "git-authenticate")
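Review bot: in "introductory commit, valid signature", `test-assert` passes on any non-false return from `authenticate-repository`, so the test only shows that no error was raised; `commit1` is bound and the comment says "COMMIT1 is fine", yet nothing checks it. Either assert something about the result that involves `commit1` or drop the binding; the same unused `commit1` binding appears in "introductory commit, wrong signature". The two `guard` clauses match only on `formatted-message-arguments`, so also checking the format string would keep them from passing on an unrelated message that happens to carry the same arguments. The three tests repeat the same repository setup, which a small helper taking the zeroth commit's signer could factor out.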
base-commit: e778910bdfc68c60a5be59aac93049d32feae904
--
2.34.0
Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Sat, 29 Jan 2022 10:39:02 GMT)
Reply sent to Ludovic Courtès <ludo <at> gnu.org>: You have taken responsibility. (Mon, 14 Feb 2022 10:31:01 GMT)
Notification sent to Ludovic Courtès <ludo <at> gnu.org>: bug acknowledged by developer. (Mon, 14 Feb 2022 10:31:01 GMT)
Message #12 received at 53607-done <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> writes:
> These tests mimic similar tests already in 'tests/channels.scm', but
> without using the higher-level 'authenticate-channel'.
>
> * tests/git-authenticate.scm ("introductory commit, valid signature")
> ("introductory commit, missing signature")
> ("introductory commit, wrong signature"): New tests.
> ---
> tests/git-authenticate.scm | 106 ++++++++++++++++++++++++++++++++++++-
> 1 file changed, 105 insertions(+), 1 deletion(-)
>
> Hello!
>
> (Cc: Maxime + Attila since you’ve already looked into this code.)
>
> This patch adds tests to ensure that an invalid introductory commit
> signature and lack of a signature on the introductory commit both lead
> to an error.
>
> These tests do not uncover any problem. In fact, this behavior was
> already tested in ‘tests/channels.scm’, but using the higher-level
> ‘authenticate-channel’ procedure.
>
> They were prompted by Attila’s comments in <https://issues.guix.gnu.org/50814>
> and by investigations that led to the bug fix I’m about to send (separately).
I went ahead and pushed it as 36cb04df96623ffe8f1074172a4ed9e51bcf6e3a.
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 14 Mar 2022 11:24:05 GMT)